Some of the coolest nomenclature exists in this realm: Enterprise Security Manager, Security Information and Event Management, White/Brown/Black Hats, Threat Hunters, Security Research, Endpoint Security, Encryption, Privacy, Compromise, etc. No doubt they are more than mere terms advocating a niche within cyberspace. However, Cybersecurity is not just about setting up a SOC, IDS, IPS and perimeter security and having a laid-out CIRT or CERT - there are far too many players catering to such requirements for the many organizations whose core business is not Cybersecurity. Quite often no one talks about Cybersecurity in the beginning.
In a world dominated by technology and services of all kinds, a very good question, probably the best question, to find an answer for is: Does your organization need support in securing the business? Only then begin your search for the most appropriate partner to rely on, one who can help you secure the business for good. A simple search on the internet led me to this: 500 companies in the Cybersecurity space. If by any chance you are an SMB, what are your chances of landing the requirement with the right prospect and the right perspective? At the very least, the odds are 1 in 500.
If you have a need for insurance, would you go to a company which is selling insurance products, or would you visit an insurance/financial advisor? One answer would get you a product from a company regardless of your need, and the other would get you a product regardless of the company. So, you would either go with one of the 500 companies above or go to someone who can suggest the right approach, if not the solution. Of course the product companies would know their products best - for sure; but the answer we need first is to the question: Do you need a product, aka technology, to begin with?
According to the latest Verizon Data Breach report 2019, SMBs fell prey to 43% of the total cyberattacks in the year. SMBs are well aware of what Cybersecurity is, and no one is spared from the attacks that originate from within. But does that mean SMBs should have a CIRT? The Finance Head can probably conduct a Cost Benefit Analysis and take a stand in favour of or against a CIRT. Furthermore, is the Finance Head fully capable of translating business threats and the impact associated with them? The company would be in safe hands if he/she is.
With regard to the context of this article - an uncertain requirement for cybersecurity - and assuming that your organization has a sound philosophy of risk-based judgements, there is no harm in exploring options before committing to one product/solution. Below are a few straightforward approaches catering to various budgets in a variety of organization types. The companies offering these solutions or services are, in one way or another, well established because of the nature of Cybersecurity support, which can never be a random affair. Outlined below are a few examples only; there can be a ton more out there.
The companies offering this service must be the King of the Ring kind, with a full-blown security infrastructure and all sorts of mature capabilities: SOC, NOC, IAM, DLP, UTM, IDS, IPS, DRP, etc. Your organization would be one more addition to their client list, and it makes perfect sense to leverage their services when so many already trust them. All you need at this point in time is your CBA - Cost Benefit Analysis - and hopefully you have read the analogy above.
This may sound a bit tricky because of the fact that you are in business for good and you are consulting someone else for risk advisory on your own business, which of course appears a bit weird. One good way to reflect is to check who within your organization has asked the 1000 questions needed to help you arrive at a conscious and unbiased decision. Consulting a risk advisor would be the best choice to put every risk in perspective to the business, even if you already have the 1000 questions and their answers, and the reason is this: they can dance around your business perimeter, highlight the threats and help you with more than just one solution, along with the pros and cons of each. All you have to do is decide on one and go with it. The typical outcome of a risk consulting exercise is a project which, once chartered, can help you attain the business objective if not fully achieve it.
The what...??? Or maybe: a service which can tell you whether you need Cybersecurity support in the first place. There is Integrated Risk Management associated with Risk Advisory, which can probably highlight the need for such support but may not go all the way to set you up right from the basics. Whether your organization has a CIRT, an IT Helpdesk or any other form of IT support, the first and foremost aspect is to gauge the level of knowledge employees have with respect to an incident attempt, the means of compromise and its consequences; the result forms the Awareness Baseline of the organization's security posture. This baseline highlights the gravity and emphasis that need to be placed on the security domain. Evaluating the baseline guides the development and implementation of a security program/initiative, which can then be assessed at regular intervals to establish the improvements in the organization's security posture. If we go by the Verizon data breach report, SMBs require this kind of service more than any other industry.
And yes, all of the above, unusual or not, are descriptions of various Cybersecurity services any organization can benefit from.